adsasdasd

2025-12-08 11:51:00 +00:00
parent affa783a4f
commit da3b45d1c7
14 changed files with 1763 additions and 19 deletions
--- a/backend/igny8_core/api/base.py
+++ b/backend/igny8_core/api/base.py
@@ -21,6 +21,21 @@ class AccountModelViewSet(viewsets.ModelViewSet):
            user = getattr(self.request, 'user', None)

            if user and hasattr(user, 'is_authenticated') and user.is_authenticated:
+                # Bypass filtering for superusers - they can see everything
+                if getattr(user, 'is_superuser', False):
+                    return queryset
+                
+                # Bypass filtering for developers
+                if hasattr(user, 'role') and user.role == 'developer':
+                    return queryset
+                
+                # Bypass filtering for system account users
+                try:
+                    if hasattr(user, 'is_system_account_user') and user.is_system_account_user():
+                        return queryset
+                except Exception:
+                    pass
+                
                try:
                    account = getattr(self.request, 'account', None)
                    if not account and hasattr(self.request, 'user') and self.request.user and hasattr(self.request.user, 'is_authenticated') and self.request.user.is_authenticated:
@@ -239,6 +254,29 @@ class SiteSectorModelViewSet(AccountModelViewSet):
            
            # Check if user is authenticated and is a proper User instance (not AnonymousUser)
            if user and hasattr(user, 'is_authenticated') and user.is_authenticated and hasattr(user, 'get_accessible_sites'):
+                # Bypass site filtering for superusers and developers
+                # They already got unfiltered queryset from parent AccountModelViewSet
+                if getattr(user, 'is_superuser', False) or (hasattr(user, 'role') and user.role == 'developer'):
+                    # No site filtering for superuser/developer
+                    # But still apply query param filters if provided
+                    try:
+                        query_params = getattr(self.request, 'query_params', None)
+                        if query_params is None:
+                            query_params = getattr(self.request, 'GET', {})
+                        site_id = query_params.get('site_id') or query_params.get('site')
+                    except AttributeError:
+                        site_id = None
+                    
+                    if site_id:
+                        try:
+                            site_id_int = int(site_id) if site_id else None
+                            if site_id_int:
+                                queryset = queryset.filter(site_id=site_id_int)
+                        except (ValueError, TypeError):
+                            pass
+                    
+                    return queryset
+                
                try:
                    # Get user's accessible sites
                    accessible_sites = user.get_accessible_sites()
--- a/backend/igny8_core/api/permissions.py
+++ b/backend/igny8_core/api/permissions.py
@@ -26,11 +26,27 @@ class HasTenantAccess(permissions.BasePermission):
    """
    Permission class that requires user to belong to the tenant/account
    Ensures tenant isolation
+    Superusers, developers, and system account users bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
+        # Bypass for system account users
+        try:
+            if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
+                return True
+        except Exception:
+            pass
+        
        # Get account from request (set by middleware)
        account = getattr(request, 'account', None)
        
@@ -58,11 +74,20 @@ class IsViewerOrAbove(permissions.BasePermission):
    """
    Permission class that requires viewer, editor, admin, or owner role
    For read-only operations
+    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
@@ -77,11 +102,20 @@ class IsEditorOrAbove(permissions.BasePermission):
    """
    Permission class that requires editor, admin, or owner role
    For content operations
+    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
@@ -96,11 +130,20 @@ class IsAdminOrOwner(permissions.BasePermission):
    """
    Permission class that requires admin or owner role only
    For settings, keys, billing operations
+    Superusers and developers bypass this check.
    """
    def has_permission(self, request, view):
        if not request.user or not request.user.is_authenticated:
            return False
        
+        # Bypass for superusers
+        if getattr(request.user, 'is_superuser', False):
+            return True
+        
+        # Bypass for developers
+        if hasattr(request.user, 'role') and request.user.role == 'developer':
+            return True
+        
        # Check user role
        if hasattr(request.user, 'role'):
            role = request.user.role
--- a/backend/igny8_core/api/throttles.py
+++ b/backend/igny8_core/api/throttles.py
@@ -22,9 +22,22 @@ class DebugScopedRateThrottle(ScopedRateThrottle):
    def allow_request(self, request, view):
        """
        Check if request should be throttled.
-        Only bypasses for DEBUG mode or public requests.
-        Enforces per-account throttling for all authenticated users.
+        Bypasses for: DEBUG mode, superusers, developers, system accounts, and public requests.
+        Enforces per-account throttling for regular users.
        """
+        # Bypass for superusers and developers
+        if request.user and hasattr(request.user, 'is_authenticated') and request.user.is_authenticated:
+            if getattr(request.user, 'is_superuser', False):
+                return True
+            if hasattr(request.user, 'role') and request.user.role == 'developer':
+                return True
+            # Bypass for system account users
+            try:
+                if hasattr(request.user, 'is_system_account_user') and request.user.is_system_account_user():
+                    return True
+            except Exception:
+                pass
+        
        # Check if throttling should be bypassed
        debug_bypass = getattr(settings, 'DEBUG', False)
        env_bypass = getattr(settings, 'IGNY8_DEBUG_THROTTLE', False)